Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Broad New Hacking Attack, Command Center in Germany

Comment: a “broad” new hacking attack, involving China but centered in Germany, has penetrated the databases of numerous corporations. In FTR #699, we examined German anxiety about U.S. coziness with China. Following the hacking attack (earlier this year) on Google, among other firms, relations between the U.S. and China became strained. Obama is now meeting with the Dalai Lama, whose counsel he had previously shunned.

Might the hacking attacks have been a German gambit to effect distance between the U.S. and the People’s Republic of China?

“Broad New Hacking Attack Detected” by Siobhan Gorman; Wall Street Journal; 2/18/2010.

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.


The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn’t clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used. Two companies that were infiltrated, pharmaceutical giant Merck & Co. and Cardinal Health Inc., said they had isolated and contained the problem.

Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier’s military email account, NetWitness found. A Pentagon spokesman said the military didn’t comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

Data stolen from another U.S. company pointed to an employee’s apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.

The spyware used in this attack allows hackers to control computers remotely, said Amit Yoran, chief executive of NetWitness. NetWitness engineer Alex Cox said he uncovered the scheme Jan. 26 while installing technology for a large corporation to hunt for cyberattacks.

That discovery points to the growing number of attacks in recent years that have drafted computers into cyber armies known as botnets—intrusions not blocked by standard antivirus software. Researchers estimate millions of computers are conscripted into these armies.

“It highlights the weaknesses in cyber security right now,” said Adam Meyers, a senior engineer at government contractor SRA International Inc. who reviewed the NetWitness data. “If you’re a Fortune 500 company or a government agency or a home DSL user, you could be successfully victimized.”

Disclosure of the attack comes on the heels of Google Inc.’s allegation that it and more than 20 other companies were breached by Chinese hackers. This operation appears to be more far-reaching, infiltrating some 75,000 computers and touching 196 countries. The highest concentrations of infected computers are in Egypt, Mexico, Saudi Arabia, Turkey and the U.S.

NetWitness, based in Herndon, Va., said it was sharing information with the companies infected. Mr. Yoran declined to name them. The company provides computer security for U.S. government agencies and companies. Mr. Yoran is a former Air Force officer who also served as cyber security chief at the Department of Homeland Security.

Besides Merck and Cardinal Health, people familiar with the attack named several other companies infiltrated, including Paramount Pictures and software company Juniper Networks Inc.

Merck said in a statement that one computer had been infected. It said it had isolated the attack and that “no sensitive information was compromised.”

Cardinal said it removed the infected computer from its network. Paramount declined to comment. Juniper’s security chief, Barry Greene, wouldn’t speak about any specific incidents but said the company worked aggressively to counter infections.

NetWitness, which does extensive work for the U.S. government and private-sector clients, said it was sharing its information with the Federal Bureau of Investigation. The FBI said it received numerous allegations about potential compromises of network systems and responded promptly, in coordination with law-enforcement partners.

The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form. It works with the Firefox browser, according to computer-security firm SecureWorks. This version included a $2,000 feature that works with Firefox, according to SecureWorks.

Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it’s easier to operate there without being caught, said NetWitness’s Mr. Yoran.

There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military, NetWitness’s Mr. Yoran said.

That attack was described in a Feb. 5 report from the Department of Homeland Security, which said it was issuing an alert to the government and other organizations to “prevent further compromises.”

A DHS official said that ZeuS was among the top five reported tools for malware infections.


One comment for “Broad New Hacking Attack, Command Center in Germany”

  1. In addition to being a useful security update on what appears to be a shockingly widespread vulnerability in a massive number of smartphones, this has got to be one of the greatest marketing pitches for the sale of brand new smartphones ever:

    UPDATE 1-UN warns on mobile cybersecurity bugs in bid to prevent attacks

    Sun Jul 21, 2013 1:37pm EDT

    * UN’s ITU to issue advisory to nearly 200 nations

    * Advisory is on risk identified by German researchers

    * Researchers develop remote attack on mobile SIM cards

    * Researchers say at least 500 million phones vulnerable

    By Jim Finkle

    BOSTON, July 21 (Reuters) – A United Nations group that advises nations on cybersecurity plans to send out an alert about significant vulnerabilities in mobile phone technology that could potentially enable hackers to remotely attack at least half a billion phones.

    The bug, discovered by a German firm, allows hackers to remotely gain control of and also clone certain mobile SIM cards.

    Hackers could use compromised SIMs to commit financial crimes or engage in electronic espionage, according to Berlin’s Security Research Labs, which will describe the vulnerabilities at the Black Hat hacking conference that opens in Las Vegas on July 31.

    The U.N.’s Geneva-based International Telecommunications Union, which has reviewed the research, described it as “hugely significant.”

    “These findings show us where we could be heading in terms of cybersecurity risks,” ITU Secretary General Hamadoun Touré told Reuters.

    He said the agency would notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts.

    A spokeswoman for the GSMA, which represents nearly 800 mobile operators worldwide, said it also reviewed the research.

    “We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted,” said GSMA spokeswoman Claire Cranton.

    Nicole Smith, a spokeswoman for Gemalto NV, the world’s biggest maker of SIM cards, said her company supported GSMA’s response.

    “Our policy is to refrain from commenting on details relating to our customers’ operations,” she said.

    Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks.

    Karsten Nohl, the chief scientist who led the research team and will reveal the details at Black Hat, said the hacking only works on SIMs that use an old encryption technology known as DES.

    Nohl said he conservatively estimates that at least 500 million phones are vulnerable to the attacks he will discuss at Black Hat. He added that the number could grow if other researchers start looking into the issue and find other ways to exploit the same class of vulnerabilities.

    The ITU estimates some 6 billion mobile phones are in use worldwide. It plans to work with the industry to identify how to protect vulnerable devices from attack, Touré said.

    Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone, said Nohl, who has a doctorate in computer engineering from the University of Virginia.

    “We become the SIM card. We can do anything the normal phone users can do,” Nohl said in a phone interview.

    “If you have a MasterCard number or PayPal data on the phone, we get that too,” if it is stored on the SIM, he said.

    The newly identified attack method only grants access to data stored on the SIM, which means payment applications that store their secrets outside of the SIM card are not vulnerable to this particular hacking approach.

    Yet Nohl warned that when data is stored outside of a SIM card it could fall victim to a large range of other already known vulnerabilities, which is what has prompted the industry to put payment information on SIMs in the first place.

    The mobile industry has spent several decades defining common identification and security standards for SIMs to protect data for mobile payment systems and credit card numbers. SIMs are also capable of running apps.

    Nohl said Security Research Labs found mobile operators in many countries whose phones were vulnerable, but declined to identify them. He said mobile phone users in Africa could be among the most vulnerable because banking is widely done via mobile payment systems with credentials stored on SIMs.

    All types of phones are vulnerable, including iPhones from Apple Inc, phones that run Google Inc’s Android software and BlackBerry Ltd smartphones, he said.

    Posted by Pterrafractyl | July 22, 2013, 12:04 pm